Abstract

We consider the language inclusion problem for timed automata: given two timed automata A and B, are all the timed traces accepted by B also accepted by A? While this problem is known to be undecidable, we show here that it becomes decidable if A is restricted to having at most one clock. This is somewhat surprising, since it is well-known that there exist timed automata with a single clock that cannot be complemented. The crux of our proof consists in reducing the language inclusion problem to a reachability question on an infinite graph; we then construct a suitable well-quasi-order on the nodes of this graph, which ensures the termination of our search algorithm.

We also show that the language inclusion problem is decidable if the only constant appearing among the clock constraints of A is zero. Moreover, these two cases are essentially the only decidable instances of language inclusion, in terms of restricting the various resources of timed automata.
1 Introduction

Timed automata were introduced by Alur and Dill in [5] and have since become a standard modeling formalism for real-time systems. Unfortunately, the algorithmic analysis of timed automata is limited by the undecidability of the language inclusion problem (given two timed automata A and B, are all the timed traces accepted by B also accepted by A?) [5]. In spite of this hindrance, there has been much research in the last decade on various aspects of timed language inclusion — see, e.g., [27, 19, 17, 9, 12, 23, 6, 26, 11, 7, 21, 25, 24]. In this paper, we show that, if the timed automaton A is restricted to having a single clock, the language inclusion question of whether $L(B) \subseteq L(A)$ becomes decidable.

This is somewhat surprising, since the vast majority of decidable instances of language inclusion among both timed and untimed computational models proceed by complementation and emptiness checking of the intersection [15]: $L(B) \subseteq L(A)$ iff $L(B) \cap \overline{L(A)} = \emptyset$. However, it is well-known that there exist timed automata with a single clock that cannot be complemented, which precludes any (direct) use of the above equivalence.

We solve the timed automaton language inclusion problem $L(B) \subseteq L(A)$, in which A is assumed to have at most one clock, by converting it to a reachability problem on an infinite 'joint state space' of A and B. This procedure requires us to determinize and complement A on-the-fly, creating an unbounded object. Fortunately, we are able to construct a suitable well-quasi-order on the state space, which ensures termination.

We also show that the timed automaton language inclusion problem $L(B) \subseteq L(A)$ is decidable if the only constant appearing among the clock constraints of A is zero (in this case, of course, both timed automata are allowed arbitrarily many clocks). Interestingly, no other set of 'reasonable' restrictions on the resources of timed automata (number of clocks, number of locations, magnitude of clock constraints, and size of alphabet) yields a decidable language inclusion problem.

The results presented in this paper paint a fairly complete theoretical picture of the language inclusion problem for timed automata. We believe that they also have promising practical applications, as we now argue.

In software engineering, it is common to have several representations of a system under development, at different levels of abstraction. One of the most widespread abstraction and specification formalisms is that of finite-state machines — see, e.g., [10, 18, 20]. The intention is that more concrete representations of the system, including in particular any proposed implementation, should always conform to the abstract specification. A standard notion of conformance is that of (untimed) language inclusion: every trace of the system should also be a trace of the specification. Unfortunately, finite-state machines are time-abstract, in that they do not incorporate timing details. However, for many systems (such as communication protocols or plant controllers), timing considerations can be crucial to ensure correctness. For this reason, many researchers advocate the use of timed finite-state machines to represent specifications, with timed language inclusion as the conformance relation between implementation and specification — see, e.g., [27, 9, 6, 24, 17].

Although this notion of conformance between an implementation and a timed specification is easy to state, verifying whether it holds, as discussed above, is in general undecidable. The main result of this paper, which provides an algorithm to check timed language inclusion between implementations and single-clock timed specifications, opens the way to the formal hierarchical modeling and automated verification of a large class of systems; one such example is the protocol TCP, used to transmit information over the Internet, whose functional specification can be given as a finite-state machine equipped with a single clock [16, pages 15-23].

Related work. The first paper to consider the timed automaton language inclusion question $L(B) \subseteq L(A)$ was [5], in which the undecidability of the general case was established. Although the proof was only sketched, it clearly showed that the problem is undecidable even if A is restricted to having two clocks. On the other hand, the paper's region automaton construction, drawing on earlier work [4], showed that the problem is decidable if A is not permitted the use of any clock. The remaining case — A having a single clock — has, to the best of our knowledge, never been studied before.

Several researchers have investigated timed automaton language inclusion under various other assumptions. Among others, we note the use of (i) topological restrictions and digitization techniques [11, 7, 25, 21, 24], (ii) fuzzy semantics [9, 12, 23], (iii) determinizable subclasses of timed automata [6, 26], and (iv) timed simulation relations and homomorphisms [27, 19, 17].

Most decision algorithms for timed automata are based on clock region constructions [4, 5]. Clock regions partition the dense (infinite) state space of clocks into finitely many pieces, in such a way that the resulting quotient exhibits the same qualitative behavior as the original system. Unfortunately, this relationship is not strong enough to preserve quantitative properties such as timed language inclusion.

Although the constructions we use in this paper rely in part on clock regions, they give rise in general to objects that are intrinsically infinite. We are able to ensure termination of our algorithm by carefully manufacturing and exploiting a suitable well-quasi-order (wqo) on our state space. The use of wqos to provide termination guarantees for algorithms that operate on infinite structures is certainly not new: other decidability results include questions of reachability, maintainability, termination, coverability/sub-coverability of markings (in Petri nets), and simulation by/of finite-state machines. We refer the reader to the excellent surveys [3, 8] for more details on these matters. To our knowledge, however, our work is the first to apply the theory of wqos to a language inclusion problem.

The wqo we use in this paper relies on Higman's lemma [14] and is obtained through an elaborate process in which, among others, we demonstrate the wqo's compatibility with the decision problem at hand. Other applications of wqos based on Higman's lemma include reachability algorithms for lossy channel systems [1] and parameterized networks of timed processes [2]; additional examples can be found in the two surveys cited earlier.

Structure of the paper. The next section briefly reviews the necessary material on well-quasi-orders and Higman's lemma. Section 3 then carefully presents the model of timed automata we shall use in this paper, along with related definitions and conventions. We also give an example of a single-clock timed automaton that cannot be complemented. In Section 4, we state and prove both of our language inclusion decidability results. Section 5 then presents a number of undecidability results about the universality problem, a special case of language inclusion. Together, Sections 4 and 5 essentially characterize the decidable instances of the language inclusion problem as a function of the resources allocated to timed automata. Lastly, Section 6 offers conclusions and discusses future work.

2 Well-Quasi-Orders and Higman's Lemma

Given a set $Q$, a quasi-order¹ on $Q$ is a reflexive and transitive relation $\preceq \subseteq Q \times Q$.

An infinite sequence $(q_1, q_2, \ldots)$ in $Q$ is said to be saturating if there exist indices $i < j$ such that $q_i \preceq q_j$. A quasi-order $\preceq$ is a well-quasi-order (wqo for short) on $Q$ if every infinite sequence in $Q$ is saturating.

Let $\sqsubseteq$ be a quasi-order on $\Lambda$. Define the induced monotone domination order $\preceq$ on $\Lambda^*$, the set of finite words over $\Lambda$, as follows: $a_1 \ldots a_m \preceq b_1 \ldots b_n$ if there exists a strictly increasing function $f : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that, for all $1 \le i \le m$, $a_i \sqsubseteq b_{f(i)}$.

The following result is known as Higman's lemma [14]:

Lemma 1. If $\sqsubseteq$ is a wqo on $\Lambda$, then the induced monotone domination order $\preceq$ is also a wqo on $\Lambda^*$.

Example 2. Let $\Lambda = \{A, B, \ldots, Z\}$ be the standard Roman alphabet, and define the relation $\sqsubseteq$ on $\Lambda$ to be equality: $x \sqsubseteq y$ iff $x = y$. $\sqsubseteq$ is clearly a wqo since $\Lambda$ is finite. The induced monotone domination order $\preceq$ on $\Lambda^*$ is then none other than the 'subword' order. For example, HIGMAN $\preceq$ HIGHMOUNTAIN since HIGMAN is a subword of HIGHMOUNTAIN. Higman's lemma states that $\preceq$ is a wqo: if one starts writing down an unending sequence of words, one will eventually write down a superword of an earlier word in the sequence.
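As an added illustration (not part of the paper), the following Python implements the monotone domination order for an arbitrary letter quasi-order passed in as a predicate, so it covers both the subword order of Example 2 and the set-inclusion order on letters used later in Section 4.1, and it scans a sequence of words for the saturating pair $i < j$ that Higman's lemma promises; the function names are assumptions of this example.

```python
# Added example (not from the paper): the monotone domination order of Section 2
# for an arbitrary letter quasi-order `leq`, the subword order of Example 2 as the
# special case leq = equality, and a scan for the saturating pair (i < j with
# w_i preceq w_j) that Higman's lemma guarantees. Function names are assumed here.
from typing import Callable, Iterable, List, Sequence, Tuple, TypeVar

T = TypeVar("T")


def dominates(u: Sequence[T], v: Sequence[T], leq: Callable[[T, T], bool]) -> bool:
    """True iff u = a_1...a_m preceq v = b_1...b_n: there is a strictly increasing
    f : {1..m} -> {1..n} with a_i leq b_{f(i)} for every i.

    Greedy left-to-right matching is complete: if some embedding f exists, the
    embedding that sends each a_i to the earliest admissible b_j after the previous
    match also exists (any f can be shifted left one step at a time), so failure of
    the greedy scan means no embedding exists.
    """
    j = 0
    for a in u:
        while j < len(v) and not leq(a, v[j]):
            j += 1
        if j == len(v):
            return False
        j += 1  # b_j is consumed; f must be strictly increasing
    return True


def subword(u: str, v: str) -> bool:
    """Example 2: with letters ordered by equality, domination is the subword order."""
    return dominates(u, v, lambda a, b: a == b)


def set_letters_dominated(u: Sequence[frozenset], v: Sequence[frozenset]) -> bool:
    """The variant used in Section 4.1: letters are finite sets, ordered by inclusion."""
    return dominates(u, v, lambda a, b: a <= b)


def saturating_pair(words: Iterable[T], preceq: Callable[[T, T], bool]) -> Tuple[int, int]:
    """Return the first (i, j), 1 <= i < j, with w_i preceq w_j, scanning the
    sequence in order. When preceq is a wqo this terminates on every infinite
    iterator (Higman's lemma, for the domination order); a finite sequence may have
    no such pair, in which case ValueError is raised.
    """
    seen: List[T] = []
    for j, w in enumerate(words, start=1):
        for i, earlier in enumerate(seen, start=1):
            if preceq(earlier, w):
                return (i, j)
        seen.append(w)
    raise ValueError("finite sequence with no saturating pair")


if __name__ == "__main__":
    print(subword("HIGMAN", "HIGHMOUNTAIN"))
    # Constructed sequence: the first five words avoid domination, the sixth cannot.
    print(saturating_pair(["BBB", "BBA", "BA", "AA", "ABB", "BAA"], subword))
```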

3 Timed Automata

Let $C$ be a finite set of clocks, denoted $x, y, z$, etc. We define the set $\Phi_C$ of clock constraints over $C$ via the following grammar, where $k \in \mathbb{N}$ stands for any non-negative integer, and $\bowtie \in \{=, <, >, \le, \ge\}$ is a comparison operator:

$\phi ::= \mathit{true} \mid x \bowtie k \mid \phi \wedge \phi \mid \phi \vee \phi$.

¹ Also sometimes called a preorder.
Definition 3. A timed automaton is a tuple $(\Sigma, S, S_0, S_f, C, E)$, where

— $\Sigma$ is a finite set (alphabet) of events,
— $S$ is a finite set of locations,
— $S_0 \subseteq S$ is a set of start locations,
— $S_f \subseteq S$ is a set of accepting locations,
— $C$ is a finite set of clocks, and
— $E \subseteq S \times S \times \Sigma \times \Phi_C \times \mathcal{P}(C)$ is a finite set of transitions. A transition $(s, s', a, \phi, R)$ allows a jump from location $s$ to $s'$, communicating event $a \in \Sigma$ in the process, provided the constraint $\phi$ on clocks is met. Afterwards, the clocks in $R$ are reset to zero, while all other clocks remain unchanged.

Remark 4. One finds many variants of the definition of timed automaton in the literature: allowing diagonal clock constraints (of the form $x - y \bowtie k$); allowing rational, rather than integer, bounds in clock constraints; adding invariant clock constraints to locations. It is however not difficult to verify that our main results extend straightforwardly to any combination of these variants.


For the remainder of this section, we are assuming a fixed timed automaton $A = (\Sigma, S, S_0, S_f, C, E)$.

A clock valuation is a function $\nu : C \to \mathbb{R}^+$, where $\mathbb{R}^+$ stands for the non-negative real numbers. If $t \in \mathbb{R}^+$, we let $\nu + t$ be the clock valuation such that $(\nu + t)(x) = \nu(x) + t$ for all $x \in C$.

A state of $A$ is a pair $(s, \nu)$, where $s \in S$ is a location and $\nu$ is a clock valuation.

A run of $A$ is a finite alternating sequence of states and delayed transitions

$\varrho = (s_0, \nu_0) \xrightarrow{t_1, e_1} (s_1, \nu_1) \xrightarrow{t_2, e_2} \cdots \xrightarrow{t_n, e_n} (s_n, \nu_n)$,

where $t_i \in \mathbb{R}^+$ and $e_i = (s_{i-1}, s_i, a_i, \phi_i, R_i) \in E$, subject to the conditions:

1. for all $0 \le i \le n - 1$, $\nu_i + t_{i+1}$ satisfies $\phi_{i+1}$, and
2. for all $0 \le i \le n - 1$, $\nu_{i+1}(x) = \nu_i(x) + t_{i+1}$ for all $x \in C \setminus R_{i+1}$, and $\nu_{i+1}(x) = 0$ for all $x \in R_{i+1}$.

Each $t_i$ is interpreted as the time delay between the firing of transitions, and each state $(s_i, \nu_i)$, for $i \ge 1$, records the data immediately following transition $e_i$. We often abuse notation and write runs in the form $(s_0, \nu_0) \xrightarrow{t_1, a_1} (s_1, \nu_1) \xrightarrow{t_2, a_2} \cdots \xrightarrow{t_n, a_n} (s_n, \nu_n)$ to highlight the run's events.

An $A$-configuration is a finite set of states of $A$. Given an $A$-configuration $G$, a $G$-initialized run is a run whose first state belongs to $G$. An accepting run, on the other hand, is a run whose last state has its location in $S_f$.

A timed event is a pair $(t, a)$, where $t \in \mathbb{R}^+$ is a delay and $a \in \Sigma$ is an event. A timed trace is a finite sequence of timed events, in which each delay represents the time elapsed since the occurrence of the previous event (or since time 0 in the case of the first event). We write $\mathit{TT}$ to denote the set of all timed traces.

Given a run $\varrho = (s_0, \nu_0) \xrightarrow{t_1, a_1} (s_1, \nu_1) \xrightarrow{t_2, a_2} \cdots \xrightarrow{t_n, a_n} (s_n, \nu_n)$, we produce an associated timed trace $\mathit{tt}(\varrho) = ((t_1, a_1), (t_2, a_2), \ldots, (t_n, a_n))$.




Let $G$ be an $A$-configuration. We define the $G$-initialized timed language of $A$ to be the set

$L(A[G]) = \{\mathit{tt}(\varrho) \mid \varrho \text{ is an accepting } G\text{-initialized run of } A\}$

of dense-time timed traces accepted by $A$, when started in configuration $G$. A very important special case is that in which $G = S_0 \times \{\mathbf{0}\}$, where $\mathbf{0}$ is the clock valuation mapping every clock to 0. In that case, we write

$L(A) = L(A[S_0 \times \{\mathbf{0}\}])$

to denote the timed language accepted by $A$ (from its standard initial configuration). Another notable instance is that of a singleton $A$-configuration $G = \{(s, \nu)\}$, in which case we write $L(A[(s, \nu)])$ rather than $L(A[\{(s, \nu)\}])$. Lastly, observe that $L(A[\emptyset]) = \emptyset$.

Remark 5. The reader will have noticed that our timed trace semantics is weakly monotonic, in that multiple events are allowed to occur 'simultaneously' (i.e., with no delay between them). None of the results of Section 4 are affected if one adopts instead a strongly monotonic semantics, in which all delays are required to be strictly positive. The effects of a strongly monotonic semantics on Theorem 20 in Section 5 are listed in a footnote attached to the statement of the theorem.

Example 6. We reproduce below from [5] an example of a timed automaton² $A$, equipped with a single clock, that cannot be complemented: there does not exist a timed automaton $A'$ such that $L(A') = \mathit{TT} \setminus L(A)$.

[Figure: the single-clock timed automaton $A$ of Example 6; every transition is labelled with the event $a$.]

The complement of $L(A)$ contains all timed traces in which no pair of $a$'s is separated by exactly one time unit. Intuitively, since there is no bound on the number of $a$'s that can occur in any unit-duration time interval, any timed automaton capturing the complement of $L(A)$ would require an unbounded number of clocks to keep track of the times of all the $a$'s within the past one time unit. A formal proof that $A$ cannot be complemented is given in [13].

² Our representation of timed automata follows standard practice: start locations are depicted with an incoming arrow not originating from any other location, and accepting locations are doubly circled. Clock constraints are decorated with question marks (?), whereas clock resets use assignment symbols (:=). The rest of the notation is self-explanatory.

4 Decidable Cases of Language Inclusion

We now present two decidable instances of the language inclusion problem $L(B) \subseteq L(A)$, where $A$ and $B$ are two timed automata. The main result is Theorem 17 in Section 4.1, which asserts that the problem is decidable provided that $A$ is restricted to having at most one clock. Theorem 19 in Section 4.2, on the other hand, states that the problem is also decidable if $A$ does not make use of constants other than 0 in its clock constraints.


4.1 Single-clock restriction

The main result of this section is Theorem 17, which we present after a number of preliminaries. We shall assume throughout two fixed timed automata $A = (\Sigma^A, S^A, S^A_0, S^A_f, C^A, E^A)$ and $B = (\Sigma^B, S^B, S^B_0, S^B_f, C^B, E^B)$, with $A$ having a single clock $x$. Let us moreover postulate, without loss of generality, that $A$ and $B$ share the same alphabet $\Sigma = \Sigma^A = \Sigma^B$, and do not have any other data in common.

The overall strategy for deciding whether $L(B) \subseteq L(A)$ is to explore a certain 'joint state space' of $A$ and $B$, either making sure throughout that whenever $B$ can accept a particular timed trace then so can $A$, or otherwise answering the language inclusion query in the negative. As described, this procedure requires that $A$ be determinized, and therefore involves exploring a potentially infinite state space. We ensure termination both by determinizing $A$ on-the-fly, as needed, and by constructing a suitable well-quasi-order which forces us only to explore a finite portion of the entire state space.

Since $A$ has only one clock, states of $A$ are simply pairs $(s, u)$, with $s \in S^A$, and $u \in \mathbb{R}^+$ representing the value of clock $x$. Define an $A/B$-configuration to be a pair $(G, (q, \nu))$, where $G$ is an $A$-configuration (a finite set of states of $A$), and $(q, \nu)$ is a single state of $B$.

Intuitively, an $A/B$-configuration will be used to represent a particular state that $B$ can be in having performed some timed trace $\mathit{tt}$, together with the set of all states that $A$ can be in having performed the same timed trace $\mathit{tt}$. $A/B$-configurations can therefore be viewed as states of the 'synchronous parallel composition' of $A$ and $B$, in which $A$ has been determinized.

For $(q, \nu)$ a state of $B$, $t \in \mathbb{R}^+$, and $a \in \Sigma$, let

$\mathit{Succ}^B((q, \nu), t, a) = \{(q', \nu') \mid (q, \nu) \xrightarrow{t, a} (q', \nu') \text{ is a run of } B\}$

be the set of $(t, a)$-successor states of $(q, \nu)$. A similar definition yields a function $\mathit{Succ}^A$ for the timed automaton $A$, which we lift to $A$-configurations in the obvious way:

$\mathit{Succ}^A(G, t, a) = \{(s', u') \mid \exists (s, u) \in G.\ (s, u) \xrightarrow{t, a} (s', u') \text{ is a run of } A\}$.

Note that $\mathit{Succ}^A(G, t, a)$ is again an $A$-configuration, albeit possibly empty.

Let $\Gamma_1 = (G_1, (q_1, \nu_1))$ and $\Gamma_2 = (G_2, (q_2, \nu_2))$ be two $A/B$-configurations, and let $a \in \Sigma$ be an event. Postulate an $a$-transition from $\Gamma_1$ to $\Gamma_2$ (written $\Gamma_1 \xrightarrow{a} \Gamma_2$) if there exists $t \in \mathbb{R}^+$ such that $G_2 = \mathit{Succ}^A(G_1, t, a)$ and $(q_2, \nu_2) \in \mathit{Succ}^B((q_1, \nu_1), t, a)$; moreover, if $t = 0$ is a valid such witness, we say that the $a$-transition is immediate. In this way, we view the collection of all $A/B$-configurations as an infinite labeled transition system $\mathcal{G}$. For $\Gamma$ and $\Gamma'$ two $A/B$-configurations, we say that $\Gamma'$ is reachable from $\Gamma$ if there exists a finite path $\Gamma \xrightarrow{a_1} \cdots \xrightarrow{a_n} \Gamma'$ from $\Gamma$ to $\Gamma'$ in $\mathcal{G}$. We include paths of length 0 in this definition, so that any $A/B$-configuration is reachable from itself.

Let $(G, (q, \nu))$ be an $A/B$-configuration. We say that $(G, (q, \nu))$ is bad if both $q$ is accepting ($q \in S^B_f$), and none of the states in $G$ are accepting (for all $(s, u) \in G$, $s \notin S^A_f$). We also say that $(G, (q, \nu))$ is doomed if some bad $A/B$-configuration is reachable from $(G, (q, \nu))$. In particular, every bad $A/B$-configuration is doomed. An $A/B$-configuration is safe if it is not doomed.

Lemma 7. For any $A/B$-configuration $\Gamma = (G, (q, \nu))$, $L(B[(q, \nu)]) \subseteq L(A[G])$ iff $\Gamma$ is safe.

Proof. Suppose first that $\Gamma$ is safe, and let $((t_1, a_1), \ldots, (t_n, a_n)) \in L(B[(q, \nu)])$. There is then a corresponding path $\Gamma \xrightarrow{a_1} \Gamma_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} \Gamma_n = (G_n, (q_n, \nu_n))$ in $\mathcal{G}$, where $q_n \in S^B_f$. Since $\Gamma$ is safe, $\Gamma_n$ cannot be bad, and therefore there must be some $(s, u) \in G_n$ with $s \in S^A_f$. We conclude that $A$ must have a $G$-initialized run ending in $(s, u)$ that yields the timed trace $((t_1, a_1), \ldots, (t_n, a_n))$, which shows that $L(B[(q, \nu)]) \subseteq L(A[G])$ as required.

The other direction proceeds similarly and is left to the reader. □

Let us call any $A/B$-configuration of the form $(S^A_0 \times \{0\}, (q, \mathbf{0}))$, with $q \in S^B_0$, an initial $A/B$-configuration. (Recall that $\mathbf{0}$ stands for the clock valuation that maps all of $B$'s clocks to 0.) We now have:

Corollary 8. $L(B) \subseteq L(A)$ iff all initial $A/B$-configurations are safe.

Proof. Follows immediately from Lemma 7. □

Corollary 8 therefore reduces our language inclusion question $L(B) \subseteq L(A)$ to a reachability query on the infinite labeled transition system $\mathcal{G}$. We now construct an equivalence relation on $\mathcal{G}$ by encoding $A/B$-configurations as words over a certain alphabet. This will enable us to define a suitable well-quasi-order on the resulting quotient labeled transition system.

Let $K$ be the largest constant appearing in any of the clock constraints of $A$ and $B$. We partition $\mathbb{R}^+$ into a finite collection of one-dimensional regions $\mathit{REG} = \{r_0, r_1, \ldots, r_{2K+1}\}$, as follows: for $0 \le i \le K$, $r_{2i} = \{i\}$; for $0 \le i < K$, $r_{2i+1} = (i, i+1)$; and $r_{2K+1} = (K, \infty)$.

Define an alphabet $\Lambda = \mathcal{P}((S^A \times \mathit{REG}) \cup (S^B \times C^B \times \mathit{REG}))$: the 'letters' it contains are finite sets of pairs $(s, r)$ and triples $(q, y, r)$, where $s$ and $q$ are locations of $A$ and $B$ respectively, $y$ is a clock of $B$, and $r$ is a region. Since $\Lambda$, being finite, is clearly well-quasi-ordered by set inclusion, Higman's lemma states that the set $\Lambda^*$ of finite words over $\Lambda$ is well-quasi-ordered by the induced monotone domination order $\preceq$: $p_1 \ldots p_m \preceq l_1 \ldots l_n$ if there exists a strictly increasing function $f : \{1, \ldots, m\} \to \{1, \ldots, n\}$ such that, for all $1 \le i \le m$, $p_i \subseteq l_{f(i)}$. Note that this order is different from the 'subword' order seen in Example 2.
We now explain how to associate to any $A/B$-configuration $\Gamma = (G, (q, \nu))$ a canonical word $H(\Gamma) \in \Lambda^*$. Let us assume that the timed automaton $B$ has $M$ clocks $y_1, \ldots, y_M$. If $G = \{(s_1, u_1), \ldots, (s_k, u_k)\}$, we can first equivalently represent $\Gamma$ as the set

$\{(s_i, \mathrm{reg}(u_i), \bar{u}_i) \mid 1 \le i \le k\} \cup \{(q, y_j, \mathrm{reg}(\nu(y_j)), \overline{\nu(y_j)}) \mid 1 \le j \le M\}$,

where $\mathrm{reg}(t) \in \mathit{REG}$ denotes the region to which the real number $t \in \mathbb{R}^+$ belongs, and $\bar{t} \in [0, 1)$ represents the fractional part of $t$.

Since every pair $(s_i, \mathrm{reg}(u_i))$ and every triple $(q, y_j, \mathrm{reg}(\nu(y_j)))$ corresponds to a (singleton) letter of $\Lambda$, we can instead write $\Gamma$ as

$\{(\mu_l, v_l) \mid 1 \le l \le k + M\}$,

where each $\mu_l$ is one of the $\Lambda$-letters in question (of the form $\{(s_i, \mathrm{reg}(u_i))\}$ or $\{(q, y_j, \mathrm{reg}(\nu(y_j)))\}$), and each $v_l$ is its associated fractional part (of the form $\bar{u}_i$ or $\overline{\nu(y_j)}$).

Finally, let us group together $\Lambda$-letters whose associated fractional parts are identical, yielding a new set of $\Lambda$-letters paired with fractional parts

$\{(p_i, w_i) \mid 1 \le i \le p\}$

as representation of $\Gamma$. Here each $p_i$ is a union of $\mu_l$'s, and the fractional parts $w_i$ are all distinct; formally: $p_i = \bigcup \{\mu_l \mid v_l = w_i\}$, and $p$ is the number of such new pairs, i.e., the total number of distinct fractional parts in $\Gamma$. Note that some of the $p_i$'s may well still be singletons. We then let

$H(\Gamma) = p_{z_1} p_{z_2} \ldots p_{z_p}$,

where $z_1 \ldots z_p$ is the permutation of $1 \ldots p$ that puts $w_{z_1} \ldots w_{z_p}$ in ascending order.

Example 9. Let $s_1, s_2$ be two locations of the timed automaton $A$, and let $q$ be a location of the timed automaton $B$. Suppose that $B$ has two clocks, $y_1$ and $y_2$. Let $G = \{(s_1, 0.0), (s_1, 0.3), (s_1, 1.2), (s_2, 0.4), (s_2, 1.0)\}$ be an $A$-configuration, and let $(q, \nu)$ be a state of $B$, where $\nu(y_1) = 0.8$ and $\nu(y_2) = 1.3$. Finally, let $\Gamma = (G, (q, \nu))$ be an $A/B$-configuration.

Following the indexing of $\mathit{REG}$ above, write $r_0$ for the region $\{0\}$, $r_1$ for the region (interval) $(0, 1)$, $r_2$ for the region $\{1\}$, and $r_3$ for the region (interval) $(1, 2)$. Then $H(\Gamma)$ is the 5-letter word

$\{(s_1, r_0), (s_2, r_2)\}\ \{(s_1, r_3)\}\ \{(s_1, r_1), (q, y_2, r_3)\}\ \{(s_2, r_1)\}\ \{(q, y_1, r_1)\}$.
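Added example (not the paper's code): the encoding $H(\Gamma)$ carried through on the data of Example 9, together with the equivalence $\sim$ ($H(\Gamma) = H(\Gamma')$) and the domination $\Gamma \preceq \Gamma'$ (some $G' \subseteq G$ with $\Gamma \sim (G', (q, \nu))$) that the paper builds on it. The constant $K$ is not fixed in the example, so $K = 2$ is assumed here so that $r_3 = (1, 2)$; the function names are assumptions of this example.

```python
# Added example (not the paper's code): the canonical word H(Gamma) of an
# A/B-configuration, the equivalence ~ (H(Gamma) = H(Gamma')) and the domination
# preceq (some G' subseteq G with Gamma ~ (G', (q, nu))) built on it, run on the
# data of Example 9. K is not given in the example; K = 2 is assumed so that
# r_3 = (1, 2). Function names are assumed here. Fractions keep the comparison of
# fractional parts exact.
from fractions import Fraction
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Mapping, Tuple

Letter = FrozenSet[tuple]    # a finite set of pairs (s, r) and triples (q, y, r)
Word = Tuple[Letter, ...]    # an element of Lambda^*


def reg(t: Fraction, K: int) -> int:
    """Index of the region of REG containing t:
    r_{2i} = {i}, r_{2i+1} = (i, i+1) for i < K, r_{2K} = {K}, r_{2K+1} = (K, oo)."""
    if t > K:
        return 2 * K + 1
    i = int(t)                       # integer part
    return 2 * i if t == i else 2 * i + 1


def frac(t: Fraction) -> Fraction:
    """Fractional part of t (written with an overbar in the paper)."""
    return t - int(t)


def encode(G: Iterable[Tuple[str, Fraction]], q: str,
           nu: Mapping[str, Fraction], K: int) -> Word:
    """H(Gamma) for Gamma = (G, (q, nu)): each state (s, u) of the single-clock
    automaton A yields the singleton letter {(s, reg(u))} tagged with frac(u); each
    clock y of B yields {(q, y, reg(nu(y)))} tagged with frac(nu(y)). Letters with
    equal tags are merged, and the merged letters are listed by ascending tag."""
    groups: Dict[Fraction, set] = {}
    for s, u in G:
        groups.setdefault(frac(u), set()).add((s, reg(u, K)))
    for y, v in nu.items():
        groups.setdefault(frac(v), set()).add((q, y, reg(v, K)))
    return tuple(frozenset(groups[w]) for w in sorted(groups))


def equivalent(G1, q1, nu1, G2, q2, nu2, K: int) -> bool:
    """Gamma ~ Gamma' iff H(Gamma) = H(Gamma')."""
    return encode(G1, q1, nu1, K) == encode(G2, q2, nu2, K)


def dominated(G, q, nu, G2, q2, nu2, K: int) -> bool:
    """Gamma preceq Gamma', with Gamma' = (G2, (q2, nu2)): some G' subseteq G2 has
    Gamma ~ (G', (q2, nu2)). Checked straight from the definition by enumerating
    the subsets of G2 (exponential, fine for small configurations); Proposition 10
    states that comparing H(Gamma) with H(Gamma') under the monotone domination
    order gives the same answer."""
    target = encode(G, q, nu, K)
    states = list(G2)
    return any(
        encode(sub, q2, nu2, K) == target
        for size in range(len(states) + 1)
        for sub in combinations(states, size)
    )


# Data of Example 9 (from the paper), in exact arithmetic.
K = 2
F = Fraction
G_EX9 = [("s1", F(0)), ("s1", F("0.3")), ("s1", F("1.2")), ("s2", F("0.4")), ("s2", F(1))]
NU_EX9 = {"y1": F("0.8"), "y2": F("1.3")}


def example9() -> Word:
    """The 5-letter word H(Gamma) of Example 9; regions appear as indices into REG."""
    return encode(G_EX9, "q", NU_EX9, K)


if __name__ == "__main__":
    for letter in example9():
        print(sorted(letter, key=str))
```

Only the order of the fractional parts enters $H(\Gamma)$, not their values: the test below checks that shifting $0.3$ and $1.3$ to $0.35$ and $1.35$ leaves the word unchanged, while moving $\nu(y_2)$ past $0.4$ does not.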

We say that two $A/B$-configurations $\Gamma$ and $\Gamma'$ are equivalent, written $\Gamma \sim \Gamma'$, if $H(\Gamma) = H(\Gamma')$. We also say that $\Gamma$ is dominated by $\Gamma'$, written $\Gamma \preceq \Gamma'$, if (writing $\Gamma' = (G, (q, \nu))$) there exists $G' \subseteq G$ such that $\Gamma \sim (G', (q, \nu))$. The overloading of $\preceq$ is justified in view of the following:

Proposition 10. For any $A/B$-configurations $\Gamma$ and $\Gamma'$, $\Gamma \preceq \Gamma'$ iff $H(\Gamma) \preceq H(\Gamma')$.

Proof. By straightforward inspection of the relevant definitions. □

We earlier showed that the assertion $L(B) \subseteq L(A)$ is equivalent to showing that no bad $A/B$-configuration is reachable in $\mathcal{G}$. Unfortunately, since there are uncountably many $A/B$-configurations, it is necessary to reason in terms of $\Lambda$-words instead. In the next few propositions, we develop the required machinery to do this.

We begin by showing that $\sim$ is a bisimulation relation:

Proposition 11. For any $A/B$-configurations $\Gamma_1, \Gamma_1'$ and event $a \in \Sigma$, if $\Gamma_1 \sim \Gamma_1'$ then

1. for any $\Gamma_2$ such that $\Gamma_1 \xrightarrow{a} \Gamma_2$, there exists $\Gamma_2'$ with $\Gamma_1' \xrightarrow{a} \Gamma_2'$ and $\Gamma_2 \sim \Gamma_2'$;
2. for any $\Gamma_2'$ such that $\Gamma_1' \xrightarrow{a} \Gamma_2'$, there exists $\Gamma_2$ with $\Gamma_1 \xrightarrow{a} \Gamma_2$ and $\Gamma_2 \sim \Gamma_2'$.

Proof. Let $\Gamma_1, \Gamma_1'$ be $A/B$-configurations such that $\Gamma_1 \sim \Gamma_1'$, and let $\Gamma_2$ be an $A/B$-configuration with $\Gamma_1 \xrightarrow{a} \Gamma_2$. We must show that there exists an $A/B$-configuration $\Gamma_2'$ such that $\Gamma_1' \xrightarrow{a} \Gamma_2'$ and $\Gamma_2 \sim \Gamma_2'$.

The transition $\Gamma_1 \xrightarrow{a} \Gamma_2$ can be decomposed into a time evolution from $\Gamma_1$ to $\Gamma_1 + t$ (for some $t \in \mathbb{R}^+$), followed by an immediate transition $\Gamma_1 + t \xrightarrow{a} \Gamma_2$. Here $\Gamma_1 + t$ represents the result of adding $t$ to all clock valuations (of both $A$ and $B$) in $\Gamma_1$.

Write $\Gamma_1 = (G, (q, \nu))$ and $\Gamma_1' = (G', (q', \nu'))$. Since $\Gamma_1 \sim \Gamma_1'$, we have $q = q'$. Moreover, $\nu$ and $\nu'$ must agree on (i) the integer parts of all clocks (if no greater than $K$), (ii) whether or not clocks have null fractional part, and (iii) the ordering of the fractional parts of all clocks. It easily follows that there must exist $t' \in \mathbb{R}^+$ such that $\nu + t$ and $\nu' + t'$ are also in similar agreement; moreover, since the relationship $\Gamma_1 \sim \Gamma_1'$ also requires the global matching of the integer and fractional parts of the clock valuations in both $G$ and $\nu$ with those in $G'$ and $\nu'$, we can in fact find $t'$ such that $\Gamma_1 + t \sim \Gamma_1' + t'$.

The agreement described above between $\nu + t$ and $\nu' + t'$ entails that, for any clock constraint $\phi \in \Phi_{C^B}$, $\nu + t$ satisfies $\phi$ iff $\nu' + t'$ satisfies $\phi$ (a formal proof of this fact is an easy structural induction on $\phi$). The same of course holds for clock valuations in $G$ and $G'$ with respect to clock constraints in $\Phi_{C^A}$. Consequently, $\Gamma_1 + t$ and $\Gamma_1' + t'$ enable exactly the same transitions of the timed automata $A$ and $B$.

Let us therefore define $\Gamma_2'$ to be the $A/B$-configuration obtained from $\Gamma_1' + t'$ upon immediately taking the same $a$-transitions as those associated with the jump $\Gamma_1 + t \xrightarrow{a} \Gamma_2$. Observe that, upon taking these transitions, corresponding clocks in $\Gamma_1 + t$ and $\Gamma_1' + t'$ are (in both $\Gamma_1 + t$ and $\Gamma_1' + t'$) either left unchanged, or reset to zero. Since $\Gamma_1 + t \sim \Gamma_1' + t'$, it easily follows that $\Gamma_2 \sim \Gamma_2'$, as required. □

Corollary 12. The relation $\sim$ preserves badness, doom, and safety: for any $A/B$-configurations $\Gamma \sim \Gamma'$, $\Gamma$ is bad iff $\Gamma'$ is bad, $\Gamma$ is doomed iff $\Gamma'$ is doomed, and $\Gamma$ is safe iff $\Gamma'$ is safe.

Proof. The case of badness is immediate, whereas doom and safety follow from the preservation of badness and Proposition 11. □

We are therefore only interested in $A/B$-configurations up to $\sim$-equivalence, and thus define a quotient labeled transition system $\mathcal{H} \subseteq \Lambda^*$ as follows:

$\mathcal{H} = \{H(\Gamma) \mid \Gamma \text{ is an } A/B\text{-configuration}\}$,

and, for $W_1, W_2 \in \mathcal{H}$ and $a \in \Sigma$, postulate a transition $W_1 \xrightarrow{a} W_2$ if, for all $\Gamma_1 \in H^{-1}(W_1)$, there exists $\Gamma_2 \in H^{-1}(W_2)$ with $\Gamma_1 \xrightarrow{a} \Gamma_2$. Lastly, let

$\mathcal{H}_0 = \{H(\Gamma) \mid \Gamma \text{ is an initial } A/B\text{-configuration}\}$

denote the (finite) set of initial words of $\mathcal{H}$.

Corollary 13. For any $W_1, W_2 \in \mathcal{H}$ and $a \in \Sigma$, $W_1 \xrightarrow{a} W_2$ iff there exist $A/B$-configurations $\Gamma_1 \in H^{-1}(W_1)$ and $\Gamma_2 \in H^{-1}(W_2)$ with $\Gamma_1 \xrightarrow{a} \Gamma_2$.

Proof. Follows immediately from Proposition 11. □

Given a word $W \in \mathcal{H}$, let

$\mathit{Succ}(W) = \{W' \in \mathcal{H} \mid \exists a \in \Sigma.\ W \xrightarrow{a} W'\}$

denote the set of successors of $W$ in $\mathcal{H}$.

Proposition 14. For any word $W \in \mathcal{H}$, the set $\mathrm{Succ}(W)$ is finite and effectively computable.

Proof. Given $W$, it is easy to construct an $A/B$-configuration $\Gamma$ such that $H(\Gamma) = W$. Then, given any $a \in \Sigma$, note that there are only finitely many $A/B$-configurations $\Gamma'$ with transition $\Gamma \xrightarrow{a} \Gamma'$ immediately enabled, the list of which can readily be computed.

Next, observe that, for any $t \in \mathbb{R}^+$, $H(\Gamma + t)$ is a word with the same number of letters as $W$, the finite collection of which is also straightforward to enumerate. For each of these words, and for every event $a \in \Sigma$, computing the immediate $a$-successors can again be done effectively by simply examining a corresponding $A/B$-configuration. Note that, according to Corollary 13, the particular choices of $A/B$-configuration we make to compute successors are unimportant. Since the function $H$, which converts $A/B$-configurations back into $\mathcal{H}$-words, is clearly computable, what we have just described is an effective algorithm to generate the set $\mathrm{Succ}(W)$. □

Next, we show that the wqo $\preceq$ on $\mathcal{H}$ is a simulation relation:

Lemma 15. Let $W_1, W_1' \in \mathcal{H}$ be two words such that $W_1 \preceq W_1'$. Then, for any $a \in \Sigma$, $W_2' \in \mathcal{H}$, and transition $W_1' \xrightarrow{a} W_2'$, there exists a word $W_2 \in \mathcal{H}$ such that $W_1 \xrightarrow{a} W_2$ and $W_2 \preceq W_2'$.
Proof. Let $W_1$, $W_1'$, and $W_2'$ be as above, and let $\Gamma_1 \in H^{-1}(W_1)$, $\Gamma_1' \in H^{-1}(W_1')$, and $\Gamma_2' \in H^{-1}(W_2')$ be such that there is a transition $\Gamma_1' \xrightarrow{a} \Gamma_2'$. By Corollary 13, it suffices to show there exists $\Gamma_2 \preceq \Gamma_2'$ such that $\Gamma_1 \xrightarrow{a} \Gamma_2$.

Write $\Gamma_1 = (G_1, (q_1, v_1))$, $\Gamma_1' = (G_1', (q_1', v_1'))$, and $\Gamma_2' = (G_2', (q_2', v_2'))$. Since $\Gamma_1' \xrightarrow{a} \Gamma_2'$, by definition there must be some $t \in \mathbb{R}^+$ such that $G_2' = \mathrm{Succ}^A(G_1', t, a)$ and $(q_2', v_2') \in \mathrm{Succ}^B((q_1', v_1'), t, a)$. Since $W_1 \preceq W_1'$, $\Gamma_1 \preceq \Gamma_1'$, i.e., there exists $G_1'' \subseteq G_1'$ such that $\Gamma_1 \sim (G_1'', (q_1', v_1'))$. Write $\Gamma_1'' = (G_1'', (q_1', v_1'))$, $G_2'' = \mathrm{Succ}^A(G_1'', t, a)$, and $\Gamma_2'' = (G_2'', (q_2', v_2'))$. We then have $\Gamma_1 \sim \Gamma_1''$ and $\Gamma_1'' \xrightarrow{a} \Gamma_2''$.

We can therefore invoke Proposition 11 to conclude that there exists an $A/B$-configuration $\Gamma_2$ with $\Gamma_1 \xrightarrow{a} \Gamma_2$ and $\Gamma_2 \sim \Gamma_2''$.

Now notice that, since $G_1'' \subseteq G_1'$, $G_2'' = \mathrm{Succ}^A(G_1'', t, a) \subseteq \mathrm{Succ}^A(G_1', t, a) = G_2'$, and hence $\Gamma_2'' \preceq \Gamma_2'$. Combining this fact with $\Gamma_2 \sim \Gamma_2''$, we easily see that $\Gamma_2 \preceq \Gamma_2'$, as required. □

(Note that is also a simulation, but we will not need this.)

Let $W \in \mathcal{H}$ be a word and let $\Gamma \in H^{-1}(W)$ be a corresponding $A/B$-configuration. We attach the expressions bad, doomed, and safe to $W$ according to whether they respectively apply to $\Gamma$. (Note that, in doing so, the particular choice of $\Gamma$ is unimportant, thanks to Corollary 12.) If $W$ is doomed and if $i \in \mathbb{N}$ is the length of a shortest path from $W$ to a bad word, let us say that $W$ is $i$-doomed. Thus, in particular, bad words are $0$-doomed.

Proposition 16. Let $W, W' \in \mathcal{H}$ be two words such that $W \preceq W'$. If $W'$ is $i$-doomed, then $W$ is $j$-doomed for some $j \leq i$.

Proof. Follows immediately from Lemma 15 and the following observation: for any $A/B$-configurations $\Gamma$ and $\Gamma'$, if $\Gamma \preceq \Gamma'$ and $\Gamma'$ is bad, then so is $\Gamma$. □

Figure 1 gives an algorithm for deciding whether $L(B) \subseteq L(A)$. This algorithm uses two set variables, ToExplore and Explored, in which to store words. Its correctness is the subject of Theorem 17.

let ToExplore = $\mathcal{H}_0$
let Explored = $\emptyset$
repeat forever
    repeat
        if ToExplore = $\emptyset$ then return '$L(B) \subseteq L(A)$'
        remove some $W$ from ToExplore
        if $W$ is bad then return '$L(B) \not\subseteq L(A)$'
    until $\forall V \in$ Explored $\,.\, V \not\preceq W$
    let ToExplore = ToExplore $\cup$ $\mathrm{Succ}(W)$
    let Explored = Explored $\cup$ $\{W\}$

Fig. 1. Algorithm to decide whether $L(B) \subseteq L(A)$
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Theorem  17.  Let  A  and  B  he  two  timed  automata,  with  A  having  at  most  one 
clock.  Then  the  language  inclusion  question  of  whether  L{B)  C  L{A)  is  decidable. 

Proof.  From  Corollary  8,  we  know  that  L{B)  C  L{A)  iff  all  initial  words  are  safe. 
We  now  show  that  the  latter  is  precisely  what  the  algorithm  given  in  Figure  1 
decides. 

We  first  observe  that  the  algorithm  terminates:  indeed,  if  it  did  not,  since 
ToExplore  is  always  a  finite  set,  an  infinite  collection  Wi,  W2, ...  of  words  would 
over  time  be  added  to  Explored,  each  new  word  having  the  property  that  it  does 
not  dominate  any  of  its  predecessors.  This  would  constitute  an  infinite  non¬ 
saturating  sequence,  directly  contradicting  Higman’s  lemma. 

Next,  it  is  clear  that  if  the  algorithm  returns  ‘L{B)  ^  L{Ay,  then  that 
statement  is  accurate:  some  bad  word  is  reachable  from  one  of  the  initial  words 
in  Tio.  On  the  other  hand,  if  ToExplore  ever  comes  to  contain  a  bad  word,  then 
the  algorithm  will  inevitably  return  ‘L{B)  ^  L{A)\ 

We  now  claim  that,  if  ToExplore  ever  comes  to  contain  a  doomed  word, 
then  eventually  the  algorithm  will  also  return  ‘L{B)  ^  L{A)’.  Suppose,  on  the 
contrary,  that  in  a  given  complete  execution  of  the  algorithm,  the  lowest  doom 
index  achieved  by  ToExplore  is  some  t  ^  1;  i.e.,  at  some  point,  an  t-doomed 
word  W  belonged  to  ToExplore,  and  for  every  other  word  V  to  have  belonged 
to  ToExplore,  V  was  either  safe  or  j-doomed,  for  some  j  ^  i.  Since  W  is  i- 
doomed,  one  of  its  successors  in  Succ(bF)  must  be  (i  —  l)-doomed.  Thus  when 
W  was  examined  in  the  inner  repeat  loop,  it  cannot  have  satisfied  the  exit 
condition  VF  S  Explored.  V  ^  W,  otherwise  Succ(VF)  would  have  been  added  to 
ToExplore,  contradicting  our  minimal  choice  of  i.  It  follows  that  there  must  have 
been  some  word  V  G  Explored  with  V  =4  W ,  from  which  we  deduce,  according  to 
Proposition  16,  that  V  is  j-doomed  for  some  j  ^  i.  But  P’s  presence  in  Explored 
implies  that  Succ(P) — which  contains  a  (j  — i)-doomed  word — was  at  some  point 
added  to  ToExplore.  This  again  contradicts  our  minimal  choice  of  i  and  shows 
that,  if  any  initial  word  in  TLo  fails  to  be  safe,  then  the  algorithm  will  return 
^L{B)  ^  L{A)’,  as  required.  □ 
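The search of Fig. 1 written out, as an added example that is not code from the paper. The function decide() is the algorithm itself over an abstract word-transition system; everything after it is a constructed stand-in for the paper's $A/B$-words (names toy_succ, no_run_left and the constant K are assumptions): a word is the sorted tuple of clock values, capped at a largest constant K, of the $A$-runs still alive, and it is bad when no run is left. The subword embedding is the wqo to which Higman's lemma applies; because the toy events are monotone maps, embedding is a simulation as in Lemma 15 and badness is downward-closed as in Proposition 16, which is what makes discarding dominated words sound.

```python
from collections import deque
from typing import Callable, Iterable, Optional, Set, Tuple

Word = Tuple[int, ...]

def embeds(v: Word, w: Word) -> bool:
    """v ≼ w: v is a scattered subword of w (v is obtained by deleting letters of w).
    Over a finite alphabet this order is a wqo (Higman's lemma), so decide() terminates."""
    i = 0
    for letter in w:
        if i < len(v) and v[i] == letter:
            i += 1
    return i == len(v)

def decide(initial: Iterable[Word], succ: Callable[[Word], Set[Word]],
           bad: Callable[[Word], bool]) -> Tuple[bool, Optional[Word], int]:
    """The algorithm of Fig. 1.  Returns (True, None, n) for 'L(B) ⊆ L(A)', or
    (False, w, n) where w is a reachable bad word; n is the size of Explored."""
    to_explore = deque(initial)          # ToExplore := H_0
    explored: Set[Word] = set()          # Explored := ∅
    while True:                          # repeat forever
        while True:                      # repeat ... until
            if not to_explore:
                return True, None, len(explored)
            w = to_explore.popleft()     # remove some W from ToExplore
            if bad(w):
                return False, w, len(explored)
            # exit condition: no explored V with V ≼ W.  A dominated W is dropped,
            # since V already reaches every bad word W reaches (Proposition 16).
            if not any(embeds(v, w) for v in explored):
                break
        to_explore.extend(succ(w))       # ToExplore := ToExplore ∪ Succ(W)
        explored.add(w)                  # Explored := Explored ∪ {W}

K = 3  # constructed: clock values beyond K are indistinguishable, so they are capped

def toy_succ(w: Word, expire: bool = True) -> Set[Word]:
    """Constructed events: 'a' spawns a fresh A-run and ages the others, 'b' only
    ages, and (when enabled) 'c' kills every run whose clock has reached K."""
    aged = tuple(min(x + 1, K) for x in w)
    out = {tuple(sorted(aged + (0,))), aged}
    if expire:
        out.add(tuple(x for x in w if x < K))
    return out

def no_run_left(w: Word) -> bool:
    """Bad word: B has made a move that no surviving run of A can match."""
    return len(w) == 0

if __name__ == "__main__":
    # Without expiry the reachable set is infinite, yet only the K+1 words (0,),(1,),...
    # are ever expanded; every other successor is dominated by (0,) and dropped.
    print(decide([(0,)], lambda w: toy_succ(w, expire=False), no_run_left))
    # With expiry, (0,) is (K+1)-doomed and the bad word () is found.
    print(decide([(0,)], toy_succ, no_run_left))
```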

4.2 Null-constant restriction

We now show that the language inclusion question $L(B) \subseteq L(A)$ is decidable even if both $A$ and $B$ are allowed arbitrarily many clocks, provided that $A$ never compares its clocks to any constant other than $0$.

A timed automaton is said to be deterministic if it has a unique start location, and if, whenever two transitions from a common location are labeled with the same event, then their clock constraints are disjoint.

The following result makes use of a construction similar to that given in [28].

Lemma 18. Let $A$ be a timed automaton with $0$ the only constant appearing among its clock constraints. Then one can construct a deterministic timed automaton $A'$ which accepts the same timed language: $L(A) = L(A')$. (In addition, $A'$ has a single clock and uses only the constant $0$ in its clock constraints.)
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Proof.  Let  A  be  as  above.  The  idea  is  to  construct  a  deterministic  version  of  the 
region  automaton^  of  A.  We  will  in  addition  equip  this  region  automaton  with  a 
single  clock,  so  as  to  keep  track,  on  any  transition,  of  whether  a  strictly  positive 
amount  of  time  has  elapsed  (since  the  firing  of  the  last  transition)  or  not.  Since 
A  is  itself  unable  to  make  any  finer  timed  distinctions,  the  resulting  automaton 
will  be  equivalent  to  it. 

Let  A  =  {S,S,So,Sf,C,E),  with  C  =  {xi,...  ,xm}  the  set  of  clocks  of 
A.  A  clock  region  of  A  is  simply  an  M-tuple  of  bits,  with  each  bit  recording 
whether  its  corresponding  clock  has  current  value  0  or  not.  Let  REG  denote 
the  set  of  all  clock  regions.  Define  a  basic  location  to  be  a  pair  (s,r),  with 
s  G  S'  a  location  of  A,  and  r  G  REG  a  clock  region.  For  a  G  A,  postulate  a 
basic  transition  (s,r)  — ^  if  an  immediate  transition  between  (s,r)  and 

{s',r')  is  consistent  with  some  immediate  transition  of  A,  and  postulate  a  basic 

transition  (s,r)  {s',r')  if  a  delayed  transition  between  (s,r)  and  {s',r')  is 

consistent  with  some  (strictly  positive)  time-delayed  transition  of  A. 

We  now  construct  a  deterministic  timed  automaton  A!  as  follows:  its  alphabet 
is  the  same  as  that  of  A,  S.  Its  set  of  locations  is  V{S  x  REG) — in  other  words, 
locations  of  A'  are  simply  sets  of  basic  locations.  Its  unique  start  location  is 

X  {0},  where  0  represents  the  region  consisting  entirely  of  null  bits.  The 
accepting  locations  of  A'  are  those  which  contain  at  least  one  basic  location 
whose  first  component  is  accepting  (belongs  to  Sf).  A'  has  a  single  clock,  z, 
which  is  reset  on  every  transition.  Lastly,  for  Q,  Q'  two  locations  of  A'  and  a  G  E, 
define  a  transition  Q  Q'  if  Q'  =  {(s',  r')  |  3(s,  r)  G  Q.  (s,  r)  (s',  r')},  and 
likewise  for  Q  Q' .  In  writing  Q  Q'  we  denote  the  a-labeled  transition 
from  Q  to  Q'  which  is  constrained  by  z  >  0  and  which  subsequently  resets  z, 
whereas  Q  Q'  represents  the  same  transition,  but  constrained  by  z  =  0 
rather  than  z  >  0. 

It  is  readily  seen  that  A  is  deterministic,  and  that  it  accepts  the  same  timed 
language  as  A.  The  latter  rests  on  the  observation  that,  whenever  A  accepts  a 
timed  trace  tt,  A  also  accepts  any  timed  trace  which  is  identical  to  tt  except  for 
the  precise  non-zero  values  of  all  strictly  positive  delays.  □ 
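The construction of Lemma 18 carried out on a small automaton, as an added example that is not code from the paper. A guard is written as a dict mapping a clock to True for "clock = 0" or False for "clock > 0", a clock region is the frozenset of clocks currently equal to $0$ (the bit tuple of the proof), and the automaton built by toy_automaton() is constructed here; the names basic_step, determinize and accepts are this example's own.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Set, Tuple

Basic = Tuple[str, FrozenSet[str]]                             # basic location (s, r)
Edge = Tuple[str, str, Dict[str, bool], FrozenSet[str], str]   # (s, a, guard, resets, s')

def basic_step(edges: List[Edge], loc: Basic, a: str, delayed: bool) -> Set[Basic]:
    """Basic a-successors of (s, r).  'delayed' means a strictly positive delay
    elapsed first; afterwards every clock is non-zero, i.e. the region is empty."""
    s, r = loc
    r = frozenset() if delayed else r
    return {(dst, r | resets) for (src, ev, guard, resets, dst) in edges
            if src == s and ev == a and all((c in r) == z for c, z in guard.items())}

def determinize(clocks, edges, starts, finals, alphabet):
    """Reachable part of A': returns its start location, its transition map
    keyed by (Q, a, z > 0?) and its accepting locations.  Because z is reset on
    every transition, the key z > 0? is exactly the delayed/immediate distinction."""
    q0 = frozenset((s, frozenset(clocks)) for s in starts)   # S_0 x {0}: all clocks at 0
    trans, seen, todo = {}, {q0}, deque([q0])
    while todo:
        q = todo.popleft()
        for a in alphabet:
            for delayed in (False, True):
                q2 = frozenset(b for loc in q for b in basic_step(edges, loc, a, delayed))
                trans[(q, a, delayed)] = q2      # one successor per key: A' is deterministic
                if q2 not in seen:
                    seen.add(q2)
                    todo.append(q2)
    accepting = {q for q in seen if any(s in finals for s, _ in q)}
    return q0, trans, accepting

def accepts(det, trace: List[Tuple[str, bool]]) -> bool:
    """Run A' on a trace of (event, 'was a positive delay before it?') pairs; with
    every constant equal to 0 this qualitative information is all that matters."""
    q, trans, accepting = det
    for a, delayed in trace:
        q = trans[(q, a, delayed)]
    return q in accepting

def toy_automaton():
    """Constructed A: accepts a...ab where a positive delay separates the last a
    from the b.  It is nondeterministic, guessing which a is the last one."""
    edges: List[Edge] = [
        ("s0", "a", {}, frozenset(), "s0"),
        ("s0", "a", {}, frozenset({"x"}), "s1"),      # guess: this a is the last
        ("s1", "b", {"x": False}, frozenset(), "s2"),  # requires x > 0
    ]
    return determinize(["x"], edges, ["s0"], {"s2"}, ["a", "b"])

if __name__ == "__main__":
    det = toy_automaton()
    print(len({q for (q, _, _) in det[1]}), "reachable locations in A'")
    print(accepts(det, [("a", False), ("b", True)]), accepts(det, [("a", False), ("b", False)]))
```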

Theorem 19. Let $A$ and $B$ be two timed automata, with $0$ the only constant appearing among the clock constraints of $A$. Then the language inclusion question of whether $L(B) \subseteq L(A)$ is decidable.

Proof. Follows immediately from Lemma 18, the fact that deterministic timed automata can be complemented, the fact that timed automata are closed under intersection, and the well-known fact that language emptiness is decidable [5]. (Alternately, one could directly invoke Theorem 17, since by Lemma 18 $A$ is equivalent to a timed automaton equipped with a single clock.) □

† The region automaton construction, introduced in [5], takes as input a timed automaton $A$ and produces an untimed automaton that accepts the untimed language of $A$: the very same sequences of events, without the delays.
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5  Undecidability  of  Universality  with  Minimal  Resources 

In  Section  4,  we  examined  two  decidable  instances  of  the  language  inclusion 
problem  between  timed  automata.  It  turns  out  that  these  are,  for  all  practical 
purposes,  the  only  decidable  instances,  at  least  in  terms  of  placing  restrictions 
on  the  resources  of  timed  automata  (number  of  clocks,  number  of  locations, 
magnitude  of  clock  constraints,  and  size  of  alphabet). 

To  make  this  statement  more  precise,  we  consider  a  special  case  of  language 
inclusion,  namely  the  universality  problem  (whether  a  timed  automaton  accepts 
every  timed  trace).  For  arbitrary  timed  automata,  this  problem  was  shown  to 
be  undecidable  in  [5].  We  sharpen  this  result  in  the  following  theorem: 

Theorem 20. For $A$ a timed automaton, the universality question of whether $L(A) = TT$ remains undecidable under any of the following restrictions:

1. $A$ has two clocks and a one-event alphabet‡, or

2. $A$ has two clocks and uses a single constant in clock constraints, or

3. $A$ has a single location and a one-event alphabet‡, or

4. $A$ has a single location and uses a single constant in clock constraints.

Remark 21. We recall that diagonal clock constraints (of the form $x - y \bowtie k$) are not allowed in our model of timed automata. This restriction considerably complicates cases (3) and (4), since multiple locations cannot simply be encoded through the ordering of clock values, as is otherwise standard [28].

Proof. (Sketch.) In all four cases, the idea of the proof is similar to that presented by Alur and Dill in [5]. Given a two-counter machine $M$, one constructs a timed automaton $A$ satisfying the relevant restrictions and which moreover rejects precisely those timed traces that correspond (via a certain encoding) to the halting computations of $M$. It follows that $M$ halts iff $L(A) \neq TT$. Since the halting problem is undecidable for two-counter machines, so is the universality problem for the corresponding type of timed automata.

Note that Alur and Dill's result imposes no restrictions on timed automata, contrary to Theorem 20. Our encodings and constructions, in particular those pertaining to cases (3) and (4), are therefore significantly more intricate. Full details can be found in [22]. □

Note, of course, that the assertion $L(A) = TT$ reduces to $L(B) \subseteq L(A)$, if $B$ is chosen to be any timed automaton that accepts every timed trace.

An interesting consequence of Theorem 20 (cases (1) and (3)) is that the 'communication' structure of timed automata plays no role in the undecidability of universality. This suggests that the type of questions considered in this paper are no easier to handle in an event-less timed framework than they are here.

‡ Over strongly monotonic time, we require two events in $A$'s alphabet.
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6  Conclusion  and  Future  Work 

The  main  contribution  of  this  paper  is  an  algorithm  to  decide  the  timed  au¬ 
tomaton  language  inclusion  question  of  whether  L{B)  C  L{A),  provided  A  has 
at  most  one  clock.  We  have  also  shown  that  the  problem  is  decidable  if  the  only 
constant  appearing  among  the  clock  constraints  of  A  is  zero.  Moreover,  these 
two  cases  are  essentially  the  only  decidable  instances  of  language  inclusion,  in 
terms  of  restricting  the  resources  of  timed  automata. 

From  a  practical  point  of  view,  our  main  decidability  result  enables  the  auto¬ 
mated  verification  of  (timed)  systems  against  functional  specifications  expressed 
as  finite-state  machines  equipped  with  a  single  clock.  We  believe  this  to  be  a 
substantial  improvement  in  expressiveness  over  (untimed)  finite-state  machines, 
although  the  feasibility  and  usefulness  of  this  approach  will  need  to  be  demon¬ 
strated  through  case  studies. 

Finally,  let  us  list  two  interesting  directions  for  future  work: 

—  What  is  the  complexity  of  our  algorithm? 

—  Can  we  extend  our  decidability  result  to  Biichi  timed  automata? 
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